Bug 1822461

Pawel, can you backport the patches to 1-16 branch?

Hi Pavel, it is done.
Upstream PR: https://github.com/SSSD/sssd/pull/1023
I have tested it locally and it is working. Should I provide test build here too?

* `sssd-1-16`
    * d93b4fe14b0f72bd8311497d18204f153c104007 - SYSDB: Cache selector as enum
    * 838db4382d064924b73221272d47eef04cd6d57d - LDAP: Netgroups refresh in background task

Versions:
sssd-common-pac-1.16.5-2.el7.x86_64
sssd-krb5-1.16.5-2.el7.x86_64
sssd-proxy-1.16.5-2.el7.x86_64
sssd-1.16.5-2.el7.x86_64
python-sssdconfig-1.16.5-2.el7.noarch
sssd-client-1.16.5-2.el7.x86_64
sssd-krb5-common-1.16.5-2.el7.x86_64
sssd-ipa-1.16.5-2.el7.x86_64
sssd-ldap-1.16.5-2.el7.x86_64
sssd-tools-1.16.5-2.el7.x86_64
sssd-common-1.16.5-2.el7.x86_64
sssd-ad-1.16.5-2.el7.x86_64
sssd-dbus-1.16.5-2.el7.x86_64
sssd-kcm-1.16.5-2.el7.x86_64
sssd-winbind-idmap-1.16.5-2.el7.x86_64


Configure sssd.conf as shown below:


[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://cloud-qe-19.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
entry_cache_timeout=30
refresh_expired_interval=22


1. Create a netgroup netgroup_1 as shown below:

dn: cn=netgroup_1,ou=Netgroups,dc=example,dc=test
objectClass: top
objectClass: nisNetgroup
cn: netgroup_1
nisNetgroupTriple: (,foo1, EXAMPLE.TEST)

2. [root@cloud-qe-19 sssd]# ldapadd  -x -D "cn=Directory manager" -w Secret123 -h localhost -f /root/a.ldif
adding new entry "cn=netgroup_1,ou=Netgroups,dc=example,dc=test"

3. Query netgroup_1 

[root@cloud-qe-19 sssd]# getent netgroup netgroup_1
netgroup_1            ( ,foo1,EXAMPLE.TEST)

4. Check the sssd cache. 
[root@cloud-qe-19 db]# ldbsearch -H cache_example1.ldb -b cn=Netgroups,cn=example1,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=netgroup_1,cn=Netgroups,cn=example1,cn=sysdb
createTimestamp: 1587730317
name: netgroup_1
objectClass: netgroup
originalDN: cn=netgroup_1,ou=Netgroups,dc=example,dc=test
originalModifyTimestamp: 20200424121149Z
netgroupTriple: (,foo1, EXAMPLE.TEST)
lastUpdate: 1587730317
dataExpireTimestamp: 1587730347
distinguishedName: name=netgroup_1,cn=Netgroups,cn=example1,cn=sysdb

5. Modify the netgroup_1 in ldap to include hostname
[root@cloud-qe-19 db]# cat /root/b.ldif 
dn: cn=netgroup_1,ou=Netgroups,dc=example,dc=test
changetype: modify
replace: nisNetgroupTriple
nisNetgroupTriple: (cloud-qe-19.idmqe.lab.eng.bos.redhat.com, foo1, EXAMPLE.TEST)

[root@cloud-qe-19 db]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 -h localhost -f /root/b.ldif 
modifying entry "cn=netgroup_1,ou=Netgroups,dc=example,dc=test"

6. Wait for 30 seconds and check the cache, the cache should automatically updated with updated netgroup information:
[root@cloud-qe-19 db]# ldbsearch -H cache_example1.ldb -b cn=Netgroups,cn=example1,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=netgroup_1,cn=Netgroups,cn=example1,cn=sysdb
createTimestamp: 1587730317
name: netgroup_1
objectClass: netgroup
originalDN: cn=netgroup_1,ou=Netgroups,dc=example,dc=test
originalModifyTimestamp: 20200424121504Z
netgroupTriple: (cloud-qe-19.idmqe.lab.eng.bos.redhat.com, foo1, EXAMPLE.TEST)
lastUpdate: 1587730543
dataExpireTimestamp: 1587730573
distinguishedName: name=netgroup_1,cn=Netgroups,cn=example1,cn=sysdb


As shown below the cache gets updated automatically.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904